Issue DMARC issue with forward mail

[Sergio Manzi]

I didn't find that info: it's a logical deduction: "Elementary, my dear Watson!"

That diagnostic that you posted before (the one with the blue background), where does that comes from?

 

[G J Piper]

I didn't find that info: it's a logical deduction: "Elementary, my dear Watson!"
That diagnostic that you posted before (the one with the blue background), where does that comes from?

That is Sendgrid's listing of the error message sent back from Gmail.

 

[G J Piper]

Oh man! I think I agree with you... This is the section in my log showing that the email was actually rewritten, yes?

 

[Sergio Manzi]

I think it is quite evident that Sendgrid is doing what I said:
In that diagnostic Google is complaining about "Unauthorized mail from aol", but the mail your server is forwarding is not from AOL, it is from your domain, with AOL hidden in the local part of the email address (that's SRS...)

 

[Sergio Manzi]

Oh man! I think I agree with you... This is the section in my log showing that the email was actually rewritten, yes?

On spot!

 

[G J Piper]

On spot!

Yet another reason why I need to get Gooogle to open up the SMTP ports! AAArrrgh! Thanks for your help.
I guess I will confront Sendgrid about this now.

 

[Sergio Manzi]

Yet another reason why I need to get Gooogle to open up the SMTP ports! AAArrrgh! Thanks for your help.
I guess I will confront Sendgrid about this now.

Do the right stuff: move away from Google... (IMHO, that is...)

 

[MarkM]

I'll give you $5 to move away from Google....

 

[G J Piper]

Do the right stuff: move away from Google... (IMHO, that is...)

Amazon is the only other choice really and I will not go with them unless you want to buy my company and force the issue. lol you guys.

 

[MarkM]

Why is AWS the only other choice? They are both overpriced garbage and they get away with it due to their name....

 

[G J Piper]

Why is AWS the only other choice? They are both overpriced garbage and they get away with it due to their name....

I want a cloud server that I never have to worry about downtime due to hardware failure. Explaining to my customers that the server is down because the data center is changing out our <router|hard drive|server|etc> is not something I want to relive anymore. I have had several servers that would go down due to no fault of my own every year or so and I'm sick of it. With these cloud services hardware is all redundant, transparently, and can be upgraded with the slide of a setting instead of having to migrate to new hardware every time I need more power/storage/memory. Aside from this email issue I really like what I have now:
Google Cloud Platform

 

[Sergio Manzi]

Hey guys, thanks for the "Best Answer" (btw, I removed the flag...), but I must remind you that this is @Giuseppe's thread, you rascals!

And... (memo to me) there is a nice thread for bitching sharing important information about cloud service providers: Important - A special topic for chatter about Plesk in the Clouds.

Back to business!

I have a long message prepared but it wont send... I'll try dividing:

@Giuseppe, I have both my and your fragment from /var/log/maillog regarding the forwarding of a message from Yahoo to GMail.

In both I have modified email addresses so that we have yahoo_user@yahoo.(com | it) who sends to [email protected], message received on the Plesk host for the "example.com" domain, forwarded to [email protected].

 

[Sergio Manzi]

Mine:

Mar 12 14:57:18 mail postfix/smtpd[7604]: connect from sonic303-47.consmr.mail.ir2.yahoo.com[77.238.178.228]
Mar 12 14:57:19 mail postfix/smtpd[7604]: Anonymous TLS connection established from sonic303-47.consmr.mail.ir2.yahoo.com[77.238.178.228]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 12 14:57:19 mail postfix/smtpd[7604]: 44A81C40: client=sonic303-47.consmr.mail.ir2.yahoo.com[77.238.178.228]
Mar 12 14:57:19 mail postfix/cleanup[7609]: 44A81C40: message-id=<[email protected]>
Mar 12 14:57:19 mail check-quota[7612]: Starting the check-quota filter...
Mar 12 14:57:19 mail /usr/lib64/plesk-9.0/psa-pc-remote[802]: handlers_stderr: SKIP
Mar 12 14:57:19 mail /usr/lib64/plesk-9.0/psa-pc-remote[802]: SKIP during call 'check-quota' handler
Mar 12 14:57:19 mail spf[7613]: Starting the spf filter...
Mar 12 14:57:19 mail spf[7613]: SPF result: pass
Mar 12 14:57:19 mail spf[7613]: SPF status: PASS
Mar 12 14:57:19 mail /usr/lib64/plesk-9.0/psa-pc-remote[802]: handlers_stderr: PASS
Mar 12 14:57:19 mail /usr/lib64/plesk-9.0/psa-pc-remote[802]: PASS during call 'spf' handler
Mar 12 14:57:19 mail postfix/qmgr[1537]: 44A81C40: from=<[email protected]>, size=2726, nrcpt=1 (queue active)
Mar 12 14:57:19 mail postfix-local[7615]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Mar 12 14:57:19 mail dk_check[7616]: Starting the dk_check filter...
Mar 12 14:57:19 mail dk_check[7616]: DKIM verify result: DKIM verification (d=yahoo.com, 2048-bit key) succeeded
Mar 12 14:57:19 mail postfix/smtpd[7604]: disconnect from sonic303-47.consmr.mail.ir2.yahoo.com[77.238.178.228]
Mar 12 14:57:19 mail dmarc[7617]: Starting the dmarc filter...
Mar 12 14:57:19 mail dmarc[7617]: DMARC: PASS message for [email protected]
Mar 12 14:57:19 mail check-quota[7622]: Starting the check-quota filter...
Mar 12 14:57:19 mail journal: plesk sendmail[7621]: handlers_stderr: SKIP
Mar 12 14:57:19 mail journal: plesk sendmail[7621]: SKIP during call 'check-quota' handler
Mar 12 14:57:19 mail dk_sign[7624]: Starting the dk_sign filter...
Mar 12 14:57:19 mail journal: plesk sendmail[7621]: handlers_stderr: PASS
Mar 12 14:57:19 mail journal: plesk sendmail[7621]: PASS during call 'dd51-domainkeys' handler
Mar 12 14:57:19 mail postfix/pipe[7614]: 44A81C40: to=<[email protected]>, relay=plesk_virtual, delay=0.5, delays=0.34/0.01/0/0.14, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Mar 12 14:57:19 mail postfix/qmgr[1537]: 44A81C40: removed
Mar 12 14:57:19 mail postfix/pickup[2501]: 8652AD9B: uid=30 from=<[email protected]>
Mar 12 14:57:19 mail postfix/cleanup[7609]: 8652AD9B: message-id=<[email protected]>
Mar 12 14:57:19 mail check-quota[7628]: Starting the check-quota filter...
Mar 12 14:57:19 mail /usr/lib64/plesk-9.0/psa-pc-remote[802]: handlers_stderr: SKIP
Mar 12 14:57:19 mail /usr/lib64/plesk-9.0/psa-pc-remote[802]: SKIP during call 'check-quota' handler
Mar 12 14:57:19 mail spf[7630]: Starting the spf filter...
Mar 12 14:57:19 mail spf[7630]: SPF result: pass
Mar 12 14:57:19 mail spf[7630]: SPF status: PASS
Mar 12 14:57:19 mail /usr/lib64/plesk-9.0/psa-pc-remote[802]: handlers_stderr: PASS
Mar 12 14:57:19 mail /usr/lib64/plesk-9.0/psa-pc-remote[802]: PASS during call 'spf' handler
Mar 12 14:57:19 mail postfix/qmgr[1537]: 8652AD9B: from=<[email protected]>, size=3749, nrcpt=1 (queue active)
Mar 12 14:57:19 mail postfix/smtp[7631]: 8652AD9B: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[108.177.119.26]:25, delay=0.43, delays=0.09/0.02/0.14/0.19, dsn=2.0.0, status=sent (250 2.0.0 OK 1520866640 o18si2654855edf.545 - gsmtp)
Mar 12 14:57:19 mail postfix/qmgr[1537]: 8652AD9B: removed

Yours:

Mar 9 10:39:09 mail postfix/smtpd[2386]: connect from sonic307-54.consmr.mail.ir2.yahoo.com[87.248.110.31]
Mar 9 10:39:11 mail postfix/smtpd[2386]: 868893614CD: client=sonic307-54.consmr.mail.ir2.yahoo.com[87.248.110.31]
Mar 9 10:39:11 mail postfix/cleanup[2390]: 868893614CD: message-id=<[email protected]>
Mar 9 10:39:11 mail /usr/lib64/plesk-9.0/psa-pc-remote[24043]: handlers_stderr: SKIP
Mar 9 10:39:11 mail /usr/lib64/plesk-9.0/psa-pc-remote[24043]: SKIP during call 'limit-out' handler
Mar 9 10:39:11 mail check-quota[2392]: Starting the check-quota filter...
Mar 9 10:39:11 mail /usr/lib64/plesk-9.0/psa-pc-remote[24043]: handlers_stderr: SKIP
Mar 9 10:39:11 mail /usr/lib64/plesk-9.0/psa-pc-remote[24043]: SKIP during call 'check-quota' handler
Mar 9 10:39:11 mail spf[2393]: Starting the spf filter...
Mar 9 10:39:11 mail spf[2393]: SPF result: pass
Mar 9 10:39:11 mail spf[2393]: SPF status: PASS
Mar 9 10:39:11 mail /usr/lib64/plesk-9.0/psa-pc-remote[24043]: handlers_stderr: PASS
Mar 9 10:39:11 mail /usr/lib64/plesk-9.0/psa-pc-remote[24043]: PASS during call 'spf' handler
Mar 9 10:39:12 mail postfix/qmgr[3853]: 868893614CD: from=<[email protected]>, size=307139, nrcpt=1 (queue active)
Mar 9 10:39:12 mail postfix-local[2395]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Mar 9 10:39:12 mail spamassassin[2396]: Starting the spamassassin filter...
Mar 9 10:39:12 mail spamc[2397]: skipped message, greater than max message size (256000 bytes)
Mar 9 10:39:12 mail postfix/smtpd[2386]: disconnect from sonic307-54.consmr.mail.ir2.yahoo.com[87.248.110.31]
Mar 9 10:39:12 mail dk_check[2398]: Starting the dk_check filter...
Mar 9 10:39:12 mail dk_check[2398]: DKIM verify result: DKIM verification (d=yahoo.it, 2048-bit key) succeeded
Mar 9 10:39:12 mail journal: plesk sendmail[2402]: handlers_stderr: PASS
Mar 9 10:39:12 mail journal: plesk sendmail[2402]: PASS during call 'limit-out' handler
Mar 9 10:39:12 mail check-quota[2404]: cannot get sender domain
Mar 9 10:39:12 mail check-quota[2404]: Unable to intialize check-quota mail handler
Mar 9 10:39:12 mail journal: plesk sendmail[2402]: Error during 'check-quota' handler
Mar 9 10:39:12 mail postfix/pickup[32018]: 492603627A5: uid=30 from=<[email protected]>
Mar 9 10:39:12 mail postfix/cleanup[2390]: 492603627A5: message-id=<[email protected]>
Mar 9 10:39:12 mail postfix/pipe[2394]: 868893614CD: to=<[email protected]>, relay=plesk_virtual, delay=3.2, delays=2.9/0/0/0.24, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Mar 9 10:39:12 mail postfix/qmgr[3853]: 868893614CD: removed
Mar 9 10:39:12 mail postfix/qmgr[3853]: 492603627A5: from=<[email protected]>, size=307822, nrcpt=1 (queue active)
Mar 9 10:39:12 mail postfix/smtp[2408]: 492603627A5: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[66.102.1.26]:25, delay=0.37, delays=0.06/0.01/0.07/0.23, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[66.102.1.26] said: 550-5.7.1 Unauthenticated email from yahoo.it is not accepted due to domain's 550-5.7.1 DMARC policy. Please contact the administrator of yahoo.it domain if 550-5.7.1 this was a legitimate mail. Please visit 550-5.7.1 Control unauthenticated mail from your domain - Gmail Help to learn about the 550 5.7.1 DMARC initiative. j18si547897wrc.479 - gsmtp (in reply to end of DATA command))
Mar 9 10:39:12 mail postfix/cleanup[2390]: A4FC83627A4: message-id=<[email protected]>
Mar 9 10:39:12 mail postfix/bounce[2409]: 492603627A5: sender non-delivery notification: A4FC83627A4

 

[Sergio Manzi]

In the first part of both we have the message received (ID=44A81C40 in mine, ID=868893614CD in yours), in the second part we have the message sent (ID=8652AD9B in mine, ID=492603627A5 in yours)

In the first part (receiving from Yahoo) I see differences

• I pass the message through dk_check (that perform DKIM verification) before disconnecting smtpd from Yahoo while you pass it after disconnecting. But maybe this is only due to a slight misalignment in the logging process...
• I pass the message through dmarc (dmarc[7617]: Starting the dmarc filter...), but you don't.
• you have an error in the quota checking process but this is irrelevant here.
• I pass the message through dk_sign (dk_sign[7624]: Starting the dk_sign filter...), but you don't.

In the second part (forwarding to Gmail) instead:

• I pass the outgoing message through spf (spf[7630]: Starting the spf filter...), again you don't. I don't exactly know what this filter does, but surly it isn't the one that generate the SPF address: we both have a "from" address that, beside the spf hash and paraphernalia, reads "[email protected]". I have a vague idea, but so vague that I don't dare to express...
• then my message is accepted by GMail, while your is rejected and the diagnostic says that: ... Unauthenticated email from yahoo.it is not accepted ...

 

[Sergio Manzi]

My (minimally educated) guess is that you don't "SPF/DKIM/DMARC process" (authenticate) the incoming mail from Yahoo and Gmail refuses to receive the forwarded mail in this state.

I would say that probably you have something wrong in your "Server-Wide Mail Settings": check that Under DMARC you have "Enable DMARC to check incoming mail" and under DKIM you have "Allow signing outgoing mail"

 

[Sergio Manzi]

@G J Piper I have reviewed your log and I'm wondering if you have the same issue... after all maybe sendgrid is not the culprit...

 

[Sergio Manzi]

do you have
127.0.0.1:12346 inet n n n - - spawn user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-srs
in your /etc/postfix/master.cf ?

I don't have that in my /etc/postfix/master.cf
Also, I don't have any /usr/lib64/plesk-9.0/postfix-srs

... and this is another hint (which previously I failed to note, sorry) that maybe something is wrong in your system...

 

[G J Piper]

do you have
127.0.0.1:12346 inet n n n - - spawn user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-srs
in your /etc/postfix/master.cf ?

... and this is another hint (which previously I failed to note, sorry) that maybe something is wrong in your system...

Yeah that is strange, since this is a reformatted system setup by Plesk/Google. I just migrated to this fresh server exactly 57 days ago. However I do see that the emails' "From:" headers that are forwarded are getting rewritten, so...

 

[Sergio Manzi]

I would say that probably you have something wrong in your "Server-Wide Mail Settings": check that Under DMARC you have "Enable DMARC to check incoming mail" and under DKIM you have "Allow signing outgoing mail"

@G J Piper can you tell me what your setting are in that departement... @Giuseppe confirmed me that he doesn't have DMARC activated, for unrelated issues that we are discussing in private (and in Italian!)

Next days I'll be busy and I don't know how much I could be here in the forum...

 

[G J Piper]

@G J Piper can you tell me what your setting are in that departement... @Giuseppe confirmed me that he doesn't have DMARC activated, for unrelated issues that we are discussing in private (and in Italian!)

Next days I'll be busy and I don't know how much I could be here in the forum...

I've tried it with DMARC on and off, SPF on and off, and DKIM on and off, and have settled on this: